[TriLUG] Fwd: OpenSSH Security Advisory: Trojaned Distribution Files

Mike Johnson mike at enoch.org
Thu Aug 1 13:15:13 EDT 2002


Jonathan Rippy [jonathan.rippy at interpath.net] wrote:
 
> Personally, I think the developers should GPG sign the
> valid distributions.  Then, the tool could verify the signatures.

But what does this solve?  You would have to trust the person that
signed it, or someone in your web of trust would have to trust the
signer.  If I just start signing files, how do you know that you should
trust me?  If I create a new key, upload it to the keyservers, and start
signing things, are you going to trust what I've signed?  Why?
 
> Does any distro do this?  (I'd assume some do ... not sure off
> the top of my head.)

Red Hat signs each of their RPMs.  Dunno about others.

Mike
-- 
"Let the power of Ponch compel you!  Let the power of Ponch compel you!"
   -- Zorak on Space Ghost

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 230 bytes
Desc: not available
URL: <http://www.trilug.org/pipermail/trilug/attachments/20020801/2eade74c/attachment.pgp>
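Mike's point is that a signature check is really two separate checks: the cryptographic one ("does this signature verify under this key?") and the trust one ("is this key one I had reason to trust before I saw the download?"). A fresh key uploaded to a keyserver passes the first and fails the second. The following is an added example, not code from the thread, OpenSSH or any distro: it models the two checks with a deliberately tiny toy RSA scheme (constructed primes, far too small for real use, and a constructed SHA-256 "fingerprint" rather than an OpenPGP fingerprint) so the policy logic can run offline. The file contents, key names and reason strings are all made up for the demonstration.

```python
"""Added example (not from the TriLUG thread): a valid signature proves
nothing unless the signing key is one you already trusted out-of-band."""
import hashlib

# Toy RSA with small, well-known primes. This is NOT OpenPGP; it exists only
# to separate "signature valid?" from "signer trusted?" in runnable form.
E = 65537


def make_key(p, q):
    n = p * q
    phi = (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}


def fingerprint(key):
    # Constructed fingerprint: SHA-256 over the public parameters (e, n).
    blob = f"{key['e']}:{key['n']}".encode()
    return hashlib.sha256(blob).hexdigest()[:40].upper()


def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key, data):
    return pow(digest_int(data, key["n"]), key["d"], key["n"])


def signature_valid(key, data, sig):
    return pow(sig, key["e"], key["n"]) == digest_int(data, key["n"])


def verify_release(data, sig, signer_key, trusted_fingerprints):
    """Return (accepted, reason). Accept only when BOTH checks pass."""
    if not signature_valid(signer_key, data, sig):
        return False, "BAD_SIGNATURE"
    if fingerprint(signer_key) not in trusted_fingerprints:
        # Cryptographically fine, but the signer is a stranger: reject.
        return False, "GOOD_SIGNATURE_UNTRUSTED_KEY"
    return True, "GOOD_SIGNATURE_TRUSTED_KEY"


# Constructed scenario: a maintainer key you vetted earlier, and a brand-new
# key that someone just generated and uploaded to a keyserver.
MAINTAINER = make_key(1000000007, 998244353)
NEWCOMER = make_key(2147483647, 4294967291)
TARBALL = b"openssh-3.4p1.tar.gz contents (constructed stand-in)"
TROJANED = TARBALL + b"\n# injected"

# The trusted set must come from somewhere other than the download site:
# a fingerprint checked in person, printed in a book, or reachable through
# your own web of trust.
TRUSTED = {fingerprint(MAINTAINER)}


def run_scenarios():
    good_sig = sign(MAINTAINER, TARBALL)
    return {
        "genuine": verify_release(TARBALL, good_sig, MAINTAINER, TRUSTED),
        "tampered": verify_release(TROJANED, good_sig, MAINTAINER, TRUSTED),
        "resigned_by_stranger": verify_release(
            TROJANED, sign(NEWCOMER, TROJANED), NEWCOMER, TRUSTED),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:22s} accepted={ok} reason={why}")
```

The third scenario is the one Mike describes: the stranger's signature over the trojaned tarball is perfectly valid, and only the fingerprint pin rejects it. Real `gpg --verify` makes the same split visible when run with `--status-fd`: a `GOODSIG` line says the math checked out, and a separate `TRUST_UNDEFINED` / `TRUST_NEVER` / `TRUST_FULLY` line says whether the key is trusted, so automation has to look at both.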